Zoom’s Bug Bounty Program: 2021 in Review
Safe and secure virtual communication is a top priority at Zoom. The confidentiality and integrity of messages and meetings, as well as the availability and reliability of our global infrastructure, are the primary focuses for hundreds of our internal security engineers.
To stay ahead of threats to our users and infrastructure, we know it’s critical to build robust defenses — that’s why we continuously test our platform and infrastructure to identify emerging and potential threats and identify vulnerabilities.
Tapping into the power of the security community
While Zoom tests our solutions and infrastructure every day, we know it’s important to augment this testing by tapping the ethical hacker community to help identify edge-case vulnerabilities that may only be detectable under certain use cases and circumstances.
That is why Zoom has invested in a skilled, global team of security researchers via a private bug bounty program on HackerOne’s platform, which is the industry’s leading provider for recruiting and engaging with security-focused professionals. Private bug bounty programs are invitation-only, which allows companies to hand-pick security researchers based on their previous work. HackerOne calculates statistics for each researcher based on their signal-to-noise ratio, impact on the programs they have contributed to, and reputation, all of which help measure how relevant and actionable their findings will be.
Zoom has recruited over 800 security researchers on the HackerOne platform. Their collective work has resulted in the submission of numerous bug reports, and awards of over $2.4 million in bounty payments, swag, and gifts since the program was introduced. In 2021 alone, Zoom awarded over $1.8 million across 401 reports. We would like to thank everyone who has responsibly disclosed bugs to Zoom, and most especially the following researchers who have made our “Top 10” list:
How we approach recruitment
This past year, our Vulnerability Management and Bug Bounty (VMBB) team focused on navigating a competitive recruitment landscape and attracting more “rock star” security researchers to join our program by providing them with an excellent experience.
To attract top talent, we established the following five principles to help guide and improve our program:
- Clear and concise program policies that spell out what types of testing are allowed, details regarding the program’s “Safe Harbor” policy, and a menu of potential bounty payout ranges for specific types of vulnerability reports.
- Consistently increasing the breadth of the attack surface, also known as the “scope” of a bug bounty program, and clearly defining what is specifically out of scope, or off-limits.
- Minimizing program response, remediation, and payout time frames. Nobody likes to wait to feel heard or to be paid for their work, and this includes ethical hackers.
- Professional relationships and direct rapport with the Zoom employees who manage the bug bounty program, triage report submissions, and determine bounty payments.
- Competitive bounties that accurately reflect the work done by the researchers and the severity of the impact a vulnerability may have if exploited.
Evolving our program
To support existing researchers and attract new blood, Zoom also implemented several key updates to our bug bounty program in 2021. This included:
- We moved away from a static bounty range based only on the severity of the vulnerability reported, and implemented a “Bounty Menu.” This menu provides researchers with specific bounty amounts based on the type of vulnerability found and the demonstrated impact it may have on Zoom’s users and infrastructure. In January 2021, Zoom raised the top end of the bounty table to $50,000 for a single report and the bottom end to $250.
- We enabled a public Vulnerability Disclosure Program (VDP), which allowed anyone, not just established security researchers, to submit vulnerability reports to Zoom. This has streamlined the intake of reports and allows the right teams at Zoom to get involved rapidly, which ultimately leads to faster bug remediations and a more secure product.
- In October 2021, we launched our VIP Bug Bounty program. This program is focused on the licensed versions of Zoom solutions and has expanded the scope of security testing.
- Throughout 2021, the Zoom VMBB team focused on decreasing initial response, triage, remediation, and bounty payout times. Our current metrics show that the average initial response time is just under four hours while full triage of an incoming report typically takes less than 48 hours. Bounty payments are discussed and reviewed by the team weekly, which means bounties are usually paid within 14 days of report submission.
- To help establish ongoing relationships with our researchers, Zoom has hosted several meet-and-greet Zoom meetings with researchers around the world. From college students and professors to gifted teenagers just learning to hack to everyday Zoom users who “noticed something weird,” there’s incredible diversity within the ethical hacker community.
We’ve learned and grown so much in 2021, and we’re excited to expand these efforts and work with more ethical hackers in 2022. If you’re interested in helping to make Zoom more secure, email your HackerOne profile name to [email protected] or visit the Zoom careers page to review the open positions within the Trust and Security teams. Happy hacking!
To learn more about Zoom privacy and security, explore our Trust Center.